Control: severity -1 grave
Control: tags -1 patch pending

On Sat, 25 Oct 2014 01:53:14 +0200 Bálint Réczey
<bal...@balintreczey.hu> wrote:
> Package:  pidgin-encryption
> Version: 3.1-1:amd64
> Severity: important
> 
> Dear Maintainer,
> 
> Pidgin-encryption generates 1024 bit keys by default, while they are
> now considered to be weak.
> Please switch to defaulting to 4096 bit keys.
> 
> I'm setting severity to important since the aim of this package is
> providing strong security with little work, thus IMO the defaults
> should provide strong encryption.
IMO shipping an insecure default introduces a security hole, so a
higher severity is reasonable.

I have uploaded a source only NMU to DELAYED/5 with the attached patch.

Cheers,
Balint

diff -Nru pidgin-encryption-3.1/debian/changelog pidgin-encryption-3.1/debian/changelog
--- pidgin-encryption-3.1/debian/changelog	2010-05-02 03:46:02.000000000 +0200
+++ pidgin-encryption-3.1/debian/changelog	2014-12-25 15:10:18.000000000 +0100
@@ -1,3 +1,11 @@
+pidgin-encryption (3.1-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Default to 4096 bits when creating new keys (Closes: #766700)
+  * Pass hardening flags to configure
+
+ -- Balint Reczey <bal...@balintreczey.hu>  Thu, 25 Dec 2014 13:43:08 +0100
+
 pidgin-encryption (3.1-1) unstable; urgency=low
 
   * new upstream release
diff -Nru pidgin-encryption-3.1/debian/patches/Default-to-4096-bit-keys pidgin-encryption-3.1/debian/patches/Default-to-4096-bit-keys
--- pidgin-encryption-3.1/debian/patches/Default-to-4096-bit-keys	1970-01-01 01:00:00.000000000 +0100
+++ pidgin-encryption-3.1/debian/patches/Default-to-4096-bit-keys	2014-12-25 18:34:20.000000000 +0100
@@ -0,0 +1,39 @@
+Description: Default to 4096 bits when creating new keys
+ The previous, 1024 bit default key size is not considered to be safe
+ anymore thus whw should not offer it as default.
+ .
+Author: Balint Reczey <bal...@balintreczey.hu>
+Bug-Debian: https://bugs.debian.org/766700
+Forwarded: no
+
+--- pidgin-encryption-3.1.orig/config_ui.c
++++ pidgin-encryption-3.1/config_ui.c
+@@ -227,7 +227,7 @@ static void config_regen_key(GtkWidget*
+ 
+    key_size_entry = gtk_entry_new();
+    gtk_entry_set_max_length(GTK_ENTRY(key_size_entry), 5);
+-   gtk_entry_set_text(GTK_ENTRY(key_size_entry), "1024");
++   gtk_entry_set_text(GTK_ENTRY(key_size_entry), "4096");
+    gtk_table_attach(GTK_TABLE(table), key_size_entry, 1, 2, 1, 2,
+                     0, 0, 0, 0);
+    gtk_widget_set_size_request(key_size_entry, 85, -1);
+--- pidgin-encryption-3.1.orig/keys.c
++++ pidgin-encryption-3.1/keys.c
+@@ -99,7 +99,7 @@ crypt_key * PE_find_own_key_by_name(key_
+                               PURPLE_MESSAGE_SYSTEM, time((time_t)NULL));
+    }
+    
+-   PE_make_private_pair((crypt_proto *)crypt_proto_list->data, name, conv->account, 1024);
++   PE_make_private_pair((crypt_proto *)crypt_proto_list->data, name, conv->account, 4096);
+    
+    key = PE_find_key_by_name(*ring, name, conv->account);
+    if (key) return key;
+@@ -856,7 +856,7 @@ void PE_key_rings_init() {
+          proto_node = crypt_proto_list;
+          /* make a pair using the first protocol that comes to mind. */
+          /* user can override using the config tool */
+-         PE_make_private_pair((crypt_proto *)proto_node->data, name, (PurpleAccount*)(cur_sn->data), 1024);
++         PE_make_private_pair((crypt_proto *)proto_node->data, name, (PurpleAccount*)(cur_sn->data), 4096);
+       } else {  /* There is a private key  */
+          if (pub_key == NULL) { /* but no public key */
+             purple_debug(PURPLE_DEBUG_ERROR, "pidgin-encryption", "No public key found for %s\n", name);
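Review bot: The new default size is the bare literal 4096 repeated in three places — the config_ui.c entry text and the two PE_make_private_pair calls in keys.c — so the next bump has to find all three again; a single named constant, e.g. `#define PE_DEFAULT_KEY_BITS 4096` in a shared header, with the `"4096"` entry text documented as its string form, keeps the GUI default and the programmatic defaults from drifting apart. The patch only affects key creation: private keys already on the ring keep whatever size they were generated with (1024 under the old default) and nothing reports that, so a purple_debug warning, which keys.c already uses, when a loaded key is shorter than the default would at least surface it — assuming the key size is readable from crypt_key, which this hunk does not show. The patch header also has a typo: `whw should not offer it` should read `we should not offer it`. All three enclosing functions (config_regen_key, PE_find_own_key_by_name, PE_key_rings_init) start and end outside the hunk.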
diff -Nru pidgin-encryption-3.1/debian/patches/series pidgin-encryption-3.1/debian/patches/series
--- pidgin-encryption-3.1/debian/patches/series	2010-05-02 04:07:50.000000000 +0200
+++ pidgin-encryption-3.1/debian/patches/series	2014-12-25 13:12:07.000000000 +0100
@@ -1 +1,2 @@
 libnss.patch
+Default-to-4096-bit-keys
diff -Nru pidgin-encryption-3.1/debian/rules pidgin-encryption-3.1/debian/rules
--- pidgin-encryption-3.1/debian/rules	2010-05-02 03:30:28.000000000 +0200
+++ pidgin-encryption-3.1/debian/rules	2014-12-25 15:09:46.000000000 +0100
@@ -17,7 +17,7 @@
 build: build-stamp
 build-stamp: autotools
 	dh_testdir
-	./configure --prefix=/usr
+	./configure --prefix=/usr $(shell dpkg-buildflags --export=configure)
 	$(MAKE)
 	touch build-stamp
 
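Review bot: `$(shell dpkg-buildflags --export=configure)` passes CFLAGS/CPPFLAGS/LDFLAGS to configure, but only dpkg's default hardening set; on the dpkg of this era PIE and bindnow are not enabled unless the rules file also sets `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` above this rule, which the hunk does not add. Whether the flags then reach every compile and link line depends on the upstream Makefiles not overriding CFLAGS/LDFLAGS, so the build log (e.g. checked with blhc) is what confirms the stack-protector and relro options actually appear. The build-stamp rule ends within the hunk; the rest of the rules file is outside it.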
